Zsh Mailing List Archive
Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
- X-seq: zsh-workers 39459
- From: Oliver Kiddle <okiddle@xxxxxxxxxxx>
- To: Mateusz Lenik <mlen@xxxxxxx>
- Subject: Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
- Date: Tue, 27 Sep 2016 10:56:47 +0200
- Cc: zsh-workers@xxxxxxx
- In-reply-to: <CALDAOts+rgsuZfABkgVBphvY4CLcUiMLFA4xR0bUXPNxnhcHug@mail.gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CALDAOts+rgsuZfABkgVBphvY4CLcUiMLFA4xR0bUXPNxnhcHug@mail.gmail.com>
Mateusz Lenik wrote:
> I just learned that bash fixed a vulnerability that also affects zsh. It
> allowed running arbitrary programs by crafting the SHELLOPTS and PS4
> variables against setuid binaries using system/popen.
Given that zsh doesn't support the SHELLOPTS variable at all, it doesn't
make sense for zsh to be apparently vulnerable.
> Steps to reproduce:
> % gcc -xc - -otest <<< $'#include <stdlib.h>\n#include <unistd.h>\nint main() { setuid(0); system("/bin/date"); }'
This attack is directed against the shell that system() runs, i.e.
/bin/sh and not the shell from which the setuid binary is invoked. Did
you have /bin/sh linked to zsh? If it was linked to bash, then these
steps are merely reproducing the bash bug in bash.
Zsh also needs the prompt_subst option to enable command substitution in
PS4. Perhaps there's an argument for not importing PS4 from the
environment in certain cases anyway, but I can't see any security issue.
Oliver
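The reply's point is that the weak link is system() handing the caller's environment, PS4 and SHELLOPTS included, to whatever shell /bin/sh is. As an added example (not code from this thread, zsh or bash), the defensive shape of the reporter's test program: the helper is started with fork/execve and a fixed environment, so nothing inherited reaches the child. The environment contents, helper name and function names are assumptions made here.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child; nothing from the caller's
 * environment (PS4, SHELLOPTS, ...) survives. Entries are constructed. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    NULL
};

/* Return 1 if `env` holds a NAME=value entry for `name`. */
int env_has(char *const env[], const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=')
            return 1;
    return 0;
}

/* Run `path` with `argv` and clean_env via fork/execve; return the exit
 * status, or -1 on failure. No shell is involved unless the caller names
 * one explicitly, and even then it starts from clean_env, not environ. */
int run_clean(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The thread's test program with system() replaced by run_clean(). */
int main(void)
{
    char *const argv[] = { "date", NULL };
    return run_clean("/bin/date", argv);
}
```

Whether /bin/sh is bash, dash or zsh no longer matters, because the child shell never sees the attacker-controlled values.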